The present invention relates to processing, for example monitoring, verifying, securing, and so on, movement of items along a route, e.g. a supply chain, between different entities. The present invention also relates to apparatus for implementing such processing. The present invention relates in particular, but not exclusively, to securing or verifying a route of an RFID (radio frequency identification) tag attached to an item of interest.
Processes are known for verifying movement of an item between different entities. For example, there is a commercial and safety requirement for a supply chain of branded goods, in particular pharmaceutical products, to be verified to avoid counterfeit products being introduced into an authorised supply chain.
RFID tags are well known. RFID tags are circuits in the form of label-like items that can be read (and sometimes also written on) by reader (and writer) units communicating with the tags at RF frequencies. Further details of RFID tag technology can be found in, for example, Landt, Jerry (2001), “Shrouds of Time: The history of RFID”, AIM, Inc.
It is known to attach RFID tags, written with batch or unique codes, to items, and to monitor received items for authenticity by reading the RFID tag attached thereto. Conventionally, read-out data is sent to remote parties for comparison with stored data of valid items.
It is known to establish an electronic pedigree (also called an e-pedigree). An e-pedigree provides a record of data such as arrival and departure times of specific items, e.g. during manufacture, shipping and so on. An entity in a supply chain or other route receiving an item can access the e-pedigree to evaluate the item's authenticity. A proposed standardised e-pedigree approach using RFID technology is known as EPCglobal, further details of which can be found at, for example, www.epcglobalinc.org or from GS1 US, Princeton Pike Corporate Center, 1009 Lenox Drive, Suite 202, Lawrenceville, N.J. 08648.
EPCglobal has proposed an architecture where each tag is given a 96-bit unique code and where each entity in the supply chain can publish information about the product through a so-called EPC information service. An EPC information service is a database that provides a standardized query interface. To enable the end-to-end visibility of information across different entities, two approaches are suggested. One approach is to replicate or “push” fragments of e-pedigree information into a database operated by a trusted third party. Entities would use an EPC information service interface to this database to access and validate e-pedigree information. A second approach is to operate a so-called discovery service that references distributed EPC information services operated by individual supply chain participants. The entity would use the discovery service to identify the location of fragments of e-pedigree information and retrieve them from different EPC information services.
Referring to prior patent publications, International application WO 2006/057390 (“NEC”) relates to a distribution channel authenticating system intended to enable detection of counterfeiting and false alteration of distribution channel information by a false third party.
United States application US 2007/112574 (“Greene”) relates to systems, methods and software programs intended to provide software intelligence to RFID tags.
Japanese application JP 2006-273511 (“NEC”) appears to relate to a portable reader reading an RFID tag on goods delivered by courier to a customer, and at the same time reading an ID from the customer location to validate delivery.
Chinese application CN 1776721 (“Peng Feng”) discloses a system for validating the truthfulness of goods. The system is said to be composed only of an unscrambler and a tag. Manufacturers are able to prepare and configure tags using their own digital signature and purchasers are then said to be able to verify the truthfulness of goods easily and reliably.
United States application US 2005/049979 (“Collins et al”) relates to a method, apparatus and system for determining a fraudulent item. Anti-forgery RFID tags are utilised with additional measures to thwart would-be forgers. Each anti-forgery RFID tag comprises a unique or semi-unique number that, along with a private key possessed only by the legitimate product manufacturer, determines a signature that is preferably printed on the product packaging. Utilising the number on the anti-forgery RFID tag and a public key corresponding to the private key, the signature may be verified by standard public-key cryptographic methods. The validation of the signature identifies the product's authenticity.
The present inventors have realised that approaches such as e-pedigree, and particularly when involving approaches such as use of a discovery service, exhibit a disadvantage that different entities in a route, e.g. a supply chain, are required to divulge information that may otherwise be confidential. Furthermore, the present inventors have realised that ongoing verification requires ongoing querying of remote centralised information resources, hence there is a potential for large levels of disruption of service when a centralised resource is unavailable.
In a first aspect the present invention provides a verification apparatus for use in verification of a route taken during movement of an RFID tag, the verification apparatus comprising: a trusted platform module; sealed storage comprising a store for storing a private key; and one or more processors arranged to: (i) use the private key to provide, for the given RFID tag identity, an encrypted signature; and (ii) forward data comprising the encrypted signature to an RFID tag writer for writing to the RFID tag.
The apparatus may further comprise: one or more stores for storing a public key and a policy; and the one or more processors may be further arranged to: (i) receive, from an RFID tag reader, data read-out from the RFID tag and comprising an RFID tag identity and an encrypted signature; (ii) use the public key to decrypt the encrypted signature from the data read-out from the RFID tag; and (iii) verify that the decrypted signature corresponds to a first entity from which, according to the policy, a second entity associated with the verification apparatus is authorised to receive an RFID tag with the given RFID tag identity.
The sealed storage may further comprise one or more of the stores for storing a public key and a policy.
In a second aspect the present invention provides a verification apparatus for use in verification of a route taken during movement of an RFID tag, the verification apparatus comprising: a trusted platform module; sealed storage comprising one or more stores for storing a public key and a policy; and one or more processors arranged to: (i) receive, from an RFID tag reader, data read-out from the RFID tag and comprising an RFID tag identity and an encrypted signature; (ii) use the public key to decrypt the encrypted signature from the data read-out from the RFID tag; and (iii) verify that the decrypted signature corresponds to a first entity from which, according to the policy, a second entity associated with the verification apparatus is authorised to receive an RFID tag with the given RFID tag identity.
The apparatus may further comprise: a store for storing a private key; and the one or more processors may be further arranged to: (i) use the private key to provide, for the given RFID tag identity, an encrypted signature; and (ii) forward data comprising the encrypted signature to an RFID tag writer for writing to the RFID tag.
The sealed storage may further comprise the store for storing a private key.
Apparatus according to any of the above described aspects may further comprise the RFID tag reader and the RFID tag writer.
Apparatus according to any of the above described aspects may be arranged to allow remote attestation by a third party.
Apparatus according to any of the above described aspects may be further arranged to report the verification to one or more third parties.
In apparatus according to any of the above described aspects, the one or more processors may be further arranged to raise an alarm responsive to the verifying step determining that the decrypted signature does not correspond to an entity from which the second entity is authorised to receive an RFID tag with the given RFID tag identity.
In the apparatus a third party to which verification is reported and a third party by whom remote attestation is allowed may be identical.
In a further aspect the present invention provides a system for verifying a route taken during movement of an RFID tag, the system comprising: a first verification apparatus according to the above described first aspect; and a second verification apparatus according to the above described second aspect.
The system may further comprise a controller apparatus.
The controller apparatus may be arranged to provide one or more of a public key, a private key and a policy to one or more of the verification apparatus of the system.
The controller apparatus may be arranged to perform remote attestation of one or more of the verification apparatus of the system.
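As an added illustration, not part of the application's own text, the following Go code models the exchange between two adjacent entities described in the first and second aspects: the sending entity signs the tag identity with its private key and the data is written to the tag; the receiving entity reads the tag, checks the signature under the public key of whichever upstream entity its policy authorises, and treats any failure as the alarm condition. The TPM, sealed storage, tag reader and writer are omitted, and the tag identity format (product code, a hyphen, a serial), the entity names and the shape of the policy are assumptions; ed25519 stands in for whatever signature scheme an implementation would choose.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// TagData is what the tag writer stores on the RFID tag: the tag identity
// plus the sending entity's signature over that identity.
type TagData struct {
	ID        string
	Signature []byte
}

// SignTag is the first-aspect step: the sending entity signs the tag identity
// with its private key (held in TPM sealed storage in the patent; a plain
// value here), producing the data forwarded to the tag writer.
func SignTag(priv ed25519.PrivateKey, id string) TagData {
	return TagData{ID: id, Signature: ed25519.Sign(priv, []byte(id))}
}

// Verifier is the second-aspect role. Policy maps a product code (the part
// of the tag ID before "-") to the single upstream entity authorised to
// hand over tags with that code; Keys holds each entity's public key.
type Verifier struct {
	Keys   map[string]ed25519.PublicKey
	Policy map[string]string
}

// Verify returns the authorised sender when the tag's signature validates
// under that sender's public key. Any error is the alarm condition: the
// tag is unpoliced, the policy is inconsistent, or the signature is not
// from the entity the policy expects (counterfeit, re-routed or altered ID).
func (v Verifier) Verify(t TagData) (string, error) {
	code, _, ok := strings.Cut(t.ID, "-")
	sender, policed := v.Policy[code]
	if !ok || !policed {
		return "", fmt.Errorf("tag %q: no policy entry", t.ID)
	}
	pub, known := v.Keys[sender]
	if !known {
		return "", fmt.Errorf("policy names unknown entity %q", sender)
	}
	if !ed25519.Verify(pub, []byte(t.ID), t.Signature) {
		return "", fmt.Errorf("tag %q: signature is not from %s", t.ID, sender)
	}
	return sender, nil
}
```

Because the receiving entity only needs the public key of its immediate upstream neighbour and its own policy, no query to a central e-pedigree service is made during verification, which is the resilience point the application makes.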
Thus aspects of the present invention provide a verification process or system which is relatively resilient and has low vulnerability to single point failure. Only a low level of information needs to be exchanged between adjacent entities in a supply chain. Moreover, no information needs to be shared between non-adjacent entities. The invention may be implemented using standard RFID tag technology.
Various other advantages provided by aspects of the invention are outlined in the following description of embodiments of the invention.